1. Field of the Invention
The present invention relates to algorithmic processings performed on digital data manipulated by a microprocessor or an integrated circuit. The present invention more specifically relates to the processings performed on digital data in cryptographic ciphering or authentication applications implementing so-called secure algorithms. In such applications, the data manipulated by the algorithms and on which operations are performed must be protected against piracy, that is, external attacks aimed at discovering secret and/or calculation data.
2. Discussion of the Related Art
An example of an external attack against which the present invention aims at protecting relates to attacks known as SPA (single power analysis) or DPA (differential power analysis) attacks, which consist of analyzing the power consumption of the integrated circuit manipulating the data during execution of an algorithm. Indeed, when an integrated circuit (be it a microprocessor or an operator in wired logic) executes a calculation on data, the processing and the data have an effect upon its power consumption.
An example of an algorithm to which the present invention applies is the so-called RSA algorithm using the so-called Chinese remainder theorem (CRT) such as described, for example, in paper “The Chinese Remainder Theorem and its application in a high-speed RSA crypt-chip” by P. J. Grossschad, Computer Security Applications 2000 ACSAC'00, 16th Annual Conference, 11-15 Dec. 2000, pages 384-393, which is incorporated herein by reference.
Conventionally, to mask the processing of one or several numbers, these numbers are combined with random quantities, before the algorithmic processing.
A disadvantage is that this modifies the processed number(s), which requires performing an inverse modification at the end of the processing to recover the expected result. Another disadvantage is that the masking by a random number increases the complexity of the processing as well as the duration of the entire calculation.